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DETAILED ACTION 

1. This Office action is responsive to the following communication: Amendment filed on 14 August 
2006. 

Response to Amendment 

2. Claims 1-43 are pending and present for examination. 

3. Claims 1, 20, 24 and 40-43 are independent. 

4. Claims 9, 10, 31 and 32 are cancelled. 

5. Claims 44-46 have been added. 

6; Claims 1, 11, 20, 24 and 40-43 have been amended. 

Drawings 

7. As per the objection to the Drawings, Applicant's amendment has been acknowledged. 
Accordingly, the objection has been withdrawn. 

Claim Rejections - 35 USC§ 112 

8. - -The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

9. Claim 46 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing to 
particularly point out and distinctly claim the subject matter which applicant regards as the invention. 

10. As per dependent claim 46, it is unclear how any modification of a packet payload, 
aside from padding, would constitute nondestructive modifications since implementing 
modifications on the SQL query would result in bits of the payload packet to be changed (i.e. the 
bits are erased and a new bit inserted thereafter). Additionally, it is unclear how the control 
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information of the packet is left undisturbed since any access or processing by the 
aforementioned method would, in light of the broadest reasonable interpretation, constitute a 
disturbing of the control information. 



Claim Rejections - 35 USC § 101 

11. As per claim 42, Applicants amendment has been acknowledged. Accordingly, the rejection has 
been withdrawn. 



Claim Rejections - 35 USC§ 102 

12. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis 
for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another 
filed in the United States before the invention by the applicant for patent or (2) a patent granted on an 
application for patent by another filed in the United States before the invention by the applicant for patent, 
except that an international application filed under the treaty defined in section 351(a) shall have the effects for 
■ purposes of this subsection of an application filed in the United States only if the international application 
'designated the United States and was published under Article 21(2) of such-treaty in the English language. * 

13. Claims 24-27, 30, 35 and 38-39 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Cook et al (U.S. Patent No. 6,820,082, hereinafter referred to as COOK), filed on 3 April 2000, and issued 
on 16 November 2004. 

14. As per independent claim 24, COOK teaches: 

A data security filter device for security enforcement for a persistent data repository 
comprising: 

an interceptor in the security filter operable to intercept, in a nonintrusive 

manner {See COOK, Figure 1}, 

a data access transaction between a user application and a data repository 

having data items {See COOK, col. 5, lines 42-67, wherein this reads over in part "access manager receives 
queries from the user interface, processes the queries as described below, and sends the modified queries or 
query to the data access manager"}; 

a security policy table responsive to the interceptor to determine if the 
intercepted data access transaction corresponds to the security policy table, the security 
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policy table indicative of restricted data items in the data repository to which the user 

application is prohibited access {See COOK, col. 2, lines 54-65, wherein this reads over "[t]he rule 
engine includes a plurality of security rules and is operable to evaluate the request against the plurality of rules 
. . , [which] are based on a relation between the user and the data"}; and 

a limiter operable to limit, based on the security policy, the data access 
transaction by modifying the data access transaction such that data indications, in the 
data access transaction, corresponding to restricted data items, according to the security 
policy table, are modified in a resulting data access transaction {See cook, col. 8, lines 46-61, 

wherein this reads over in part w [t]he access manager will combine this query with the security rule defined 
above to form the following modified query" and "returned data may also be filtered by applying additional 
security rules to the data"}, 

the security filter operable to manipulate the resulting data access 
transaction in a nonintrusive manner such that modifications performed on the data 
access transaction are undetectable to the user application and undetectable to the data 

repository (See COOK, Figure 1}. 

15. As per dependent claim 25, COOK teaches: 

The method of claim 1 wherein the security policy has rules {See cook, col. 9, lines 

2-3, wherein this reads over "[s]ecurity policies can be changed by simply modifying the rules within the rule 

engine"}, each of the rules including an object, a selection criteria and an action, the 

action indicative Of restricted data items {See COOK, col. 2, lines 61-65, wherein this reads over "a 
plurality of security rules ... to determine if the user has authority to perform requested action with respect to 
the data"}. 

16. As per dependent cla im 26, COOK teaches: 

The method of claim 1 wherein the data indications are references to data items 

in the data repository {See COOK, col. 5, lines 58-61, wherein this reads over "data obtained from the 

database to control access to the data by the user"} and limiting further includes qualifying the 
references to generate a modified request indicative of unrestricted data items, such that 
successive retrieval operations employing the qualified references do not retrieve 

restricted data items {See COOK, col. 7, lines 61-64, wherein this reads over "security constraints may be 
applied to the incoming query and processed in the access manager to form a modified query which is sent to 
the data manager"}. 

17. As per dependent cla im 27, COOK teaches: 

The method of claim 3 wherein the data access transaction is a data access 
statement operative to request data and limiting further comprises: 

identifying at least one rule, according to the security policy, 
^ corresponding to the data access statement, the identified rule restricting access 
to at least one of the data items indicated by the data access statement {See 

COOK, Table 1; col. 7, lines 42, wherein this reads over "object-level security applies to an entire row 
of data"; and col. 8, lines 34-35, wherein this reads over "[t]he rule engine includes the following 
user defined security rule for Table 2"}, and 

concatenating selection qualifiers to the data access statement 

Corresponding to the identified rule, {See COOK, col. 8, lines 45-53, wherein this reads over 
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"access manager will combine this query with the security rule defined above to form the following 

modified query for a user} the selection qualifiers operable to omit the restricted data 
items from the qualified references of the data access statement {See cook, col. 8, 

lines 57-59, wherein this reads over "the database which will return the sales data from rows 1 and 3 
of Table 2"}. 

18. As per dependent cla im 30, COOK teaches: 

The method of claim 2 wherein the actions are selectively indicative of 
modifications, the modifications further comprising attributes, operators, and operands, 
the limiting further comprising 

identifying data items corresponding to the attributes, each of the 
attributes associated with an operator and an operand {See cook, col. 8, lines 5i-53>; 

applying an operator specified for the data item to the operand specified 
for the data item {See cook, col. 8, lines 5i-53>; and 

determining, as a result of applying the operator, whether to eliminate 
the identified data item {See cook, col. 8, lines si-53}. 

19. As per dependent claim 35, COOK teaches: 

The method of claim 4 wherein intercepting the data access statement includes 

receiving an SQL query {See COOK, col. 8, lines 57-59, wherein this reads over "[t]he data 
manager will format this query as an SQL query and submit it to the database"} and 

limiting includes appending conditional selection statements to the SQL query, 
the conditional selection statements computed from the security policy, to generate the 

resulting data access transaction {See COOK, col. 8, liens 45-50, wherein this reads over "[t]he access 
manager will combine this query with the security rule defined above"}. 

20. As per dependent cla im 38, COOK teaches: 

The method of claim 1 wherein intercepting occurs in a data path between a 
source of the data access transaction and a destination of the resulting data access 
transaction, and limiting occurs in a component separate from the source and destination 

{See COOK, Figure 1}. 

21. As per dependent claim 39, COOK teaches: 

The method of claim 17 wherein the component separate from the source and 
destination is a separate network device than the components corresponding to the 
source and destination {See cook, Figure 1}. 
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Claim Rejections - 35 USC§ 103 

22. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art 
are such that the subject matter as a whole would have been obvious at the time the invention was made to a 
person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

41- 

23. Claims 1-4, 7-8, 11-12, 15-19, 33-34y^nd 44-46 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over COOK, in view of Bechtolsheim et al (U.S. Patent No. 7,043,541, hereinafter 
referred to as BECHTOLSHEIM), filed on 21 September 2000, and issued on 9 May 2006. 

24. As per independent claim 1, COOK, in combination with BECHTOLSHEM, discloses: 

A method (and computer program product, computer data signal, or data security filter 
device) of security enforcement for a persistent data repository comprising: 

intercepting, in a nonintrusive manner, a data access transaction between a user 
application and a data repository having data items {See cook, col. 5, lines 42-67, wherein this 

reads over in part "access manager receives queries from the user interface, processes the queries as described 
below, and sends the modified queries or query to the data access manager"}; 

determining if the intercepted data access transaction corresponds to a security 
policy, the security policy indicative of restricted data items in the data repository to 

Which the User application iS prohibited access {See COOK, col. 2, lines 54-65, wherein this reads 
over "[t]he reul engine includes a plurality of security rules and is operable to evaluate the request against the 
plurality of rules . . . [which] are based on a relation between the user and the data"}; and 

limiting, based on the security policy, the data access transaction by modifying 
the data access transaction such that data indications, in the data access transaction, 
corresponding to restricted data items, according to the security policy, are modified in a 

resulting data access transaction {See COOK, col. 8, lines 46-61, wherein this reads over in part "[t]he 
access manager will combine this query with the security rule defined above to form the following modified 
query" and "returned data may also be filtered by applying additional security rules to the data"> according 

to the security policy, limiting the data access transaction further including: 

receiving a set of packets, the packets encapsulating the data access 

transaction according tO layered protocols {See COOK, col. 5, lines 42-67, wherein this 
reads over in part "access manager receives queries from the user interface, processes the queries as 
described below, and sends the modified queries or query to the data access manager"}; 



interrogating and modifying the packets in a nondestructive manner with 

respect tO the layered Protocols {See COOK, col. 8, lines 45-50, wherein this reads over 
"[t]he access manager will combine this query with the security rule defined above"}; and 
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padding the packets for accommodating elimination of the restricted 
data items to generate the resulting data access transaction {See bechtolshem, col. 

8, lines 47-48, wherein this reads over "[s]hort packets are padded to 64 bytes"}. 

The combination of the inventions disclosed in COOK and BECHTOLSHEM would disclose a 
method wherein packets are modified in a nondestructive manner by padding the packets to 
accommodate the addition of restrictive limiting language to the query. Therefore, it would have been 
obvious to one of ordinary skill in the art at the time the invention was made to combine the inventions 
suggested by COOK and BECHTOLSHEM. 

One of ordinary skill in the art would have been motivated to do this modification so that the 
changes in the query may be nondetectable yet still be modified to include the restrictive language of the 
security policy. 

25. As per dependent claim 2, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 1 wherein the security policy has rules {See cook, col. 9, lines 

2-3, wherein this reads over "[s]ecurity policies can be changed by simply modifying the rules within the rule 

engine"}, each of the rules including an object, a selection criteria and an action, the 

action indicative Of restricted data . items {See COOK, col. 2, lines 61-65, wherein this reads over "a 
plurality of security rules ... to determine if the user has authority to perform requested action with respect to 
the data"}. 

26. As per dependent claim 3, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 1 wherein the data indications are references to data items 

in the data repository {See COOK, col. 5, lines 58-6 1, wherein this reads over "data obtained from the 

database to control access to the data by the user"} and limiting further includes qualifying the 
references to, generate a modified request indicative of unrestricted data items, such that 
successive retrieval operations employing the qualified references do not retrieve 

restricted data items {See COOK, col. 7, lines 61-64, wherein this reads over "security constraints may be 
applied to the incoming query and processed in the access manager to form a modified query which is sent to 
the data manager"}. 

27. As per dependent claim 4, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 3 wherein the data access transaction is a data access 
statement operative to request data and limiting further comprises: 

identifying at least one rule, according to the security policy, 
corresponding to the data access statement, the identified rule restricting access 
to at least one of the data items indicated by the data access statement {See 

COOK, Table 1; col. 7, lines 42, wherein this reads over "object-level security applies to an entire row 
of data"; and col. 8, lines 34-35, wherein this reads over "[t]he rule engine includes the following 
user defined security rule for Table 2"}, and 



Application/Control Number: 10/723,521 
Art Unit: 2161 



Page 8 



concatenating selection qualifiers to the data access statement 

corresponding tO the identified rule, {See COOK, col. 8, lines 45-53, wherein this reads over 
"access manager will combine this query with the security rule defined above to form the following 

modified query for a user"} the selection qualifiers operable to omit the restricted data 
items from the qualified references of the data access statement {See cook, col. 8, 

lines 57-59, wherein this reads over "the database which will return the sales data from rows 1 and 3 
of Table 2"}. 

28. As per dependent claim 7, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 2 wherein the actions are selectively indicative of 
modifications, the modifications further comprising attributes, operators, and operands, 
the limiting further comprising 

identifying data items corresponding to the attributes, each of the 
attributes associated with an operator and an operand {see cook, col. 8, lines 51-53}; 

applying an operator specified for the data item to the operand specified 
for the data item {See cook, col. 8, lines 51-53}; and 

determining, as a result of applying the operator, whether to eliminate 
the identified data item {See cook, col. 8, lines 51-53}. 

29. As per dependent claim 8, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 1 wherein the nonintrusive manner is undetectable to the 
user application and undetectable to the data repository {See cook, Figure 1}. 

30. As per dependent claims 11 and 34, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 10 wherein generating the resulting data access transaction 
preserves the encapsulating layered protocol associating the packets without employing a 
proxy for regenerating the sequence of packets {See cook, col. 8, lines 57-59, wherein this reads 

over "return the sales data from rows 1 and 3"\ 

The combination of the inventions disclosed in COOK and BECHTOLSHEM would disclose a 
method wherein the encapsulating layered protocol is preserved without employing a proxy. Therefore, it 
would have been obvious to one of ordinary skill in the art at the time the invention was made to 
combine the inventions suggested by COOK and BECHTOLSHEM. 

One of ordinary skill in the art would have been motivated to do this modification so that 
a proxy need not be necessarily employed in generating a resulting data access transaction. 

31. As per dependent claim 12, COOK, in combination with BECHTOLSHEM, discloses: 
The method of claim 4 wherein intercepting the data access statement includes 
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receiving an SQL query {See COOK, col. 8, lines 57-59, wherein this reads over "[t]he data 
manager will format this query as an SQL query and submit it to the database"} and 

limiting includes appending conditional selection statements to the SQL query, 
the conditional selection statements computed from the security policy, to generate the 

resulting data access transaction {See COOK, col. 8, liens 45-50, wherein this reads over M [t]he access 
manager will combine this query with the security rule defined above"}. 

32. As per dependent claim 15, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 1 wherein the nonintrusive manner is such that the 
intercepting and limiting occurs undetectable to both the source and the destination of 
the data access transaction {See cook, Figure i}. 

33. As per dependent claim 16, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 1 wherein intercepting further comprises: 

establishing an identification exchange intended for interception and operable to 
transmit an identification token indicative of an application user {See cook, Tables 3 and 4; 

col. 4, lines 60-61, wherein this reads over "the user ... is identifiable by a user ID"; and col. 8, lines 34-53}; 

and 

parsing, as part of the intercepting, the identification exchange to extract the 
identification token {See cook, Tables 3 and 4, and col. 8, lines 34-53}, wherein the identification 
exchange is benign to the data repository {See cook, col. io, line 66 - col. n, line 13, wherein this 

reads over "further filter the data returned from the database by removing information that is not available to 
the user"}. 

34. As per dependent claim. 17, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 1 wherein intercepting occurs in a data path between a 
source of the data access transaction and a destination of the resulting data access 
transaction, and limiting occurs in a component separate from the source and destination 

{See COOK, Figure 1}. 

35. As per dependent cla im 18, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 17 wherein the component separate from the source and 
destination is a separate network device than the components corresponding to the 
source and destination {see cook, Figure i}. 

36. As per dependent claim 19, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 1 wherein the restricted data items are eliminated from the 
resulting data access transaction {See cook, Figure i}. 



37. 



As per dependent claim 33, COOK, in combination with BECHTOLSHEM, discloses: 
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The method of claim 1 wherein limiting the data access transaction further 
includes receiving a set of packets, the packets encapsulating the data access transaction 
according to layered protocols; 

interrogating and modifying the packets in a nondestructive manner with 

respect tO the layered protocols {See COOK, col. 8, liens 45-50, wherein this reads over 
"[t]he access manager will combine this query with the security rule defined above"}; and 

padding the packets for accommodating elimination of the restricted 
data items to generate the resulting data access transaction {See bechtolshem, col. 

8, lines 47-48, wherein this reads over "[s]hort packets are padded to 64 bytes"}. 

38. As per dependent claim 42, see the rejections of related claims 1 and 44 herein. 

39. As per dependent claim 44, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 1 wherein the nonintrusive manner is undetectable to the 
user application and undetectable to the data repository, the nonintrusive manner such 
that the intercepting and limiting occurs undetectable to both the source and the 
destination of the data access transaction, wherein intercepting occurs in a data path- 
between a source of the data access transaction and a destination of the resulting data 
access transaction, and limiting occurs in a component separate from the source and 
destination, and the component separate from the source and destination is a separate 
network device than the components corresponding to the source and destination {see 

COOK, Figure 1}. 

40. As per dependent claim 45, COOK, in combination with BECHTOLSHEM, discloses: 

The method of claim 1 wherein padding the packet further comprises 
nondestructive^ modifying the packet such that the packet appears undisturbed to the 

receiver {See BECHTOLSHEM, Abstract, wherein this reads over "modifying the packet by inserting a header 
in place of some or all of an unused portion of a preamble within the packet"}. 

41. As per dependent claim 46, it would be inherent that a SQL query is modified, the payload of 
the packet is modified as well. Additionally, it is inherent to the claimed invention that during the 
modification process that the control information has yet to have been accessed and disturbed. That is, 
during the process of packets, there is an inherent lag which would provide for a time when the control 
information is left undisturbed. 

42. Claims 5-6 are rejected under 35 U.S.C. 103(a) as being unpatentable over COOK and 
BECHTOLSHEM, and in view of Fisher et al (U.S. Patent No. 6,085,191, hereinafter referred to as 
FISHER), filed on 25 March 1998, and issued on 4 July 2000. 
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COOK and BECHTOLSHEM differ from the claimed invention in that they fail to specifically 
disclose a method wherein identified rows are eliminated from the data access transaction (claims 5-6). 

43. As per dependent claim 5, COOK, in combination with BECHTOLSHEM and FISHER, discloses: 

The method of claim 1 wherein the data indications are rows of data retrieved 
from the data repository, and limiting further comprises: 

identifying rows having restricted data items {See fisher, col. 3, lines 29-35, wherein 

this reads over "[e]ach view defines a subset of rows in the database tables that are accessible when using this 

view"}, and 

' eliminating the identified rows from the data access transaction {See fisher, col. 19, 

lines 39-49, wherein this reads over "[v]iews can also be used to limit the columns and rows of database tables 

that are accessible to users"} such that the resulting data access transaction is a modified 
query response including rows without restricted data items {See cook, col. 8, lines 45-50, 

wherein this reads over "access manager will combine this query with the security rule defined above to form 
the following modified query"}. 

The combination of the inventions disclosed in COOK and FISHER would disclose a method 
wherein limiting access to and eliminating rows of data from the data access transaction would comprise 
the application applying a view, which defines a subset of rows in the database tables that are accessible, 
and applying rules of a security policy to the response to further limit access to the identified rows. 
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was 
made to combine the inventions suggested by COOK and FISHER. 

One of ordinary skill in the art would have-been motivated to do this modification in order to limit 
access to identified rows. 

44. As per dependent claim 6, COOK, in combination with BECHTOLSHEM and FISHER, discloses: 

The method of claim 5 wherein the data access transaction is a data query 
response including a row set and limiting further comprises: s 

comparing each of the rows in the row set to the rules of the security policy {See 

COOK, col. 8, lines 57-59, wherein this reads over "data manager will format this query as an SQL query and 
submit it to the database which will return the sales data from rows 1 and 3 of Table 2"}; and 

selectively eliminating rows in the row set including the restricted data items, 
based on the comparing, to generate a modified query response including a filtered row 

Set {See COOK, col. 8, lines 45-50, wherein this reads over "access manager will combine this query with the 
security rule defined above to form the following modified query"}. 
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The combination of the inventions disclosed in COOK and FISHER would disclose a method 
wherein the row set of the data query response is compared to and filtered by the rules of the security 
policy. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention 
was made to combine the inventions suggested by COOK and FISHER. 

One of ordinary skill in the art would have been motivated to do this modification in 
order to limit access to identified rows. 

45. Claim 13 is rejected under 35 U.S.C. 103(a) as being unpatentable over COOK and 
BECHTOLSHEM, in view of Slutz (U.S. Patent No. 6,581,052, hereinafter referred to as SLUTZ), filed on 2 
October 2000, and issued on 17 June 2003. 

46. As per dependent claim 13, COOK, in combination with BECHTOLSHEM and SLUTZ, discloses: 
The method of claim 12 further comprising: 

building a parse tree corresponding to the SQL query {See slutz, Figures 6 and 8}; 
adding nodes in the parse tree corresponding to the appended conditional 

Selection Statements {See SLUTZ, col. ll, lines 3-14, wherein this reads over "updates the statement 
according to the choices made . . . [wherein] a choice at each current node adds a term to the statement's 
parse tree"}; arid 

reprocessing the parse tree to generate the resulting data access transaction {See 

SLUTZ, Figure 6; and cot. 9, lines 26-29, wherein this reads over "outputs a representation of the statement to 
program as the statement is generated"}. 

The combination of the inventions disclosed in COOK and SLUTZ would disclose a method for 
building a parse tree corresponding to the SQL query and adding nodes corresponding to the appended 
conditional selection statements. Therefore, it would have been obvious to one of ordinary skill in the art 
at the time the invention was made to combine the inventions suggested by COOK and SLUTZ. 

One of ordinary skill in the art would have been motivated to do this modification so that 
the appended conditional selection statements may be added as nodes to the parse tree. 

47. Claims 14 and 43 are rejected under 35 U.S.C. 1031(a) as being unpatentable over COOK and 
BECHTOLSHEM, in view of Fisher et al (U.S. Patent No. 6,085,191, hereinafter referred to as FISHER), 
filed on 25 March 1998, and issued on 4 July 2000. 
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48. As per dependent claim 14, COOK, in combination with BECHTOLSHEM and FISHER, 
discloses: 

The method of claim 6 wherein intercepting the data query response further comprises: 
intercepting the data query response from the data repository as the data access 

transaction {See FISHER, col. 28, lines 53-64, wherein this reads over "Step 1612 . . . which intercepts a 
user access request to access management information stored in managed objects stored in a desired table in 
the database"}/ 

the data query response encapsulated as a row set having rows from a relational 

database query {See COOK, col. 8, lines 57-59, wherein this reads over "return the sales data from rows 1 

and 3"} and further wherein limiting includes 

discarding rows in the row set having restricted data items {See cook, col. 

8, lines 45-50, wherein this reads over "access manager will combine this query with the security rule 
defined above to form the following modified query"} and 

transmitting the remaining rows to the user as the resulting data access 

transaction {See COOK, Figure 6, step 122; and col. 11, lines 10-12, wherein this reads over 
"[t]he page generator outputs a page formatted using visible data from the database"}. 

The combination of the inventions disclosed in COOK and FISHER would disclose a method 
wherein the data query response from the data repository is intercepted and rows are discarded 
accordingly. Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the inventions suggested by COOK and FISHER. 

One of ordinary skill in the art would have been motivated to do this modification in so 
that restricted data items may be eliminated and the remaining rows transmitted to the user. 

49. As per dependent claim 43, see the related rejections of claims 1, 5 and 45. 

50. Claims 20-23, 36 and 40-41 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
COOK, in view of SLUTZ. 

COOK differs from the claimed invention in that COOK fails to disclose a method for building a 
parse tree (claims 20, 36 and 40). 

51. As per independent claim 20, COOK, in combination with SLUTZ, discloses: 

A method for nonintrusive implementation of data level security enforcement comprising: 

defining a security policy between an application and a data repository the 
security policy having rules indicative of restricted data items {See cook, col. 9, lines 2-3, 



Application/Control Number: 10/723,521 
Art Unit: 2161 



Page 14 



wherein this reads over "[security policies can be changed by simply modifying the rules within the rule 

engine"}, the rules associated with attributes and conditions {See cook, col. 8, lines 51-53}; 

identifying an entry point between the data repository and the application {See 

COOK, Figure 1, Element 70}; 

deploying a security filter at the entry point, the security filter operable to receive 
data manipulation messages between the application and the data repository {See cook, 

Figure 1, Element 70}; 

the security filter further operable to limit data exposure by the data repository 
by selectively modifying the data manipulation messages into conformance with the 

Security policy {See COOK, Table 1; col. 7, lines 42, wherein this reads over "object-level security applies to 
an entire row of data"; and col. 8, lines 34-35, wherein this reads over "[t]he rule engine includes the following 

user defined security rule for Table 2"}, the limiting further comprising: 

sniffing the entry point to determine data manipulation messages {See 

COOK, col. 8, lines 51-53}; 

intercepting the sniffed data manipulation messages in a nondestructive 

manner {See COOK, col. 5, lines 42-67, wherein this reads over in part "access manager receives 
queries from the user interface, processes the queries as described below, and sends the modified 
queries or query to the data access manager"}; 

comparing the sniffed messages to the rules in the security policy to 
determine if the sniffed data manipulation message includes restricted data items 

{See COOK, col. 2, lines 54-65, wherein this reads over "[t]he reul engine includes a plurality of 
security rules and is operable to evaluate the request against the plurality of rules . . . [which] are 
based on a relation between the user and the data"}; 

determining if the sniffed messages match at least one of the rules of 

the Security policy {See COOK, col. 2, lines 61-65, wherein this reads over "a plurality of security 
rules . . .to determine if the user has authority to perform requested action with respect to the 
data"}; 

selectively modifying, if the determining indicates a match between the 
rules and the data manipulating message, the data manipulation message to 
remove the matching restricted data item {See cook, col. 8, lines 46-6 i, wherein this 

reads over in part "[t]he access manager will combine this query with the security rule defined above 
to form the following modified query" and "returned data may also be filtered by applying additional 

security rules to the data"}, modifying further including: 

building a parse tree corresponding to the SOL guerv {See slutz, 

Figures 6 and 8}; 

adding nodes in the parse tree corresponding to the appended 

Conditional Selection Statements {See SLUTZ, col. ll, lines 3-14, wherein this reads 
over "updates the statement according to the choices made . . . [wherein] a choice at each 
current node adds a term to the statement's parse tree"}; and 
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reprocessing the parse tree to generate the resulting data access 

transaction {See Slinrz, Figure 6; and col. 9, lines 26-29, wherein this reads over 
"outputs a representation of the statement to program as the statement is generated"}. 

The combination of the inventions disclosed in COOK and SLUTZ would disclose a method for 
building a parse tree corresponding to the SQL query and adding nodes corresponding to the appended 
conditional selection statements. Therefore, it would have been obvious to one of ordinary skill in the art 
at the time the invention was made to combine the inventions suggested by COOK and SLUTZ. 

One of ordinary skill in the art would have been motivated to do this modification so that 
the appended conditional selection statements may be added as nodes to the parse tree. 

52. As per dependent claim 21, COOK, in combination with SLUTZ, discloses: 

The method of claim 2 wherein the actions are selectively indicative of 
modifications, the modifications further comprising attributes, operators, and operands, 
the limiting further comprising 

identifying data items corresponding to the attributes, each of the 
attributes associated with an operator and an operand {See cook, col. 8, lines 5i-53>; 

applying an operator specified for the data item to the operand specified 
for the data item {See cook, col. 8, lines 51-53}; and 

determining, as a result of applying the operator, whether to eliminate 
the identified data item {See cook, col. 8, lines 51-53}. 

53. As per dependent claim 22, COOK, in combination with SLUTZ, discloses: 
The method of claim 20 wherein modifying further comprises: 

reconstructing a request query corresponding to a query syntax {See cook, col. 8, 

lines 45-53, wherein this reads over "access manager will combine this query with the security rule defined 
above to form the following modified query for a user"}; and 

adding limiters to the request query corresponding to the matching rules of the 

security policy {See COOK, col. 8, lines 45-53, wherein this reads over "access manager will combine this 
query with the security rule defined above to form the following modified query for a user"}, the adding 

performed in a nondestructive manner such that the modification is undetectable to the 

data repository {See COOK, Figure 1}. 

54. As per dependent claim 23, COOK, in combination with SLUTZ, discloses: 
The method of claim 20 wherein modifying further comprises: 

identifying a data retrieval response encapsulated in a layered protocol on the 

data manipulation message {See COOK, col. 5, lines 42-67, wherein this reads over in part "access 
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manager receives queries from the user interface, processes the queries as described below, and sends the 
modified queries or query to the data access manager"}; and 

reconstructing the data retrieval response by deleting restricted data items from 
the data retrieval response, the reconstructing performed in a nondestructive manner 
undetectable to the application and conforming to the encapsulating layered protocol {See 

COOK, col. 8, lines 1-2, wherein this reads over "the remaining security constraints applied to the obtained 
data"}. 

55. As per dependent claim 36, COOK, in combination with SLUTZ, discloses: 
The method of claim 12 further comprising: 

building a parse tree corresponding to the SQL query {See sllttz, Figures 6 and 8}; 
adding nodes in the parse tree corresponding to the appended conditional 

selection Statements {See SLUTZ, col. ll, lines 3-14, wherein this reads over "updates the statement 
according to the choices made . . . [wherein] a choice at each current node adds a term to the statement's 
parse tree"}; and 

reprocessing the parse tree to generate the resulting data access transaction {See 

SLUTZ, Figure 6; and col. 9, lines 26-29, wherein this reads over "outputs a representation of the statement to 
program as the statement is generated"}. 

The combination of the inventions disclosed in COOK and SLUTZ would disclose a method for 
building a parse tree corresponding to the SQL query and adding nodes corresponding to the appended 
conditional selection statements. Therefore, it would have been obvious to one of ordinary skill in the art 
at the time the invention was made to combine the inventions suggested by COOK and SLUTZ. 

One of ordinary skill in the art would have been motivated to do this modification so that 
the appended conditional selection statements may be added as nodes to the parse tree. 

56. As per independent claims 40-41, COOK, in combination with SLUTZ, discloses: 

A method for nonintrusive implementation of data level security enforcement comprising 

defining a Security policy having rules {See COOK, col. 9, lines 2-3, wherein this reads over 
"[s]ecurity policies can be changed by simply modifying the rules within the rule engine"}, the rules further 

specifying attributes and conditions {See cook, col. 8, lines 51-53}; 

intercepting a data retrieval request {See COOK, col. 5, lines 42-67, wherein this reads over 
in part "access manager receives queries from the user interface, processes the queries as described below, 
and sends the modified queries or query to the data access manager"}; 

comparing the data retrieval request to the security policy {See cook, col. 2, lines 54- 

65, wherein this reads over "[t]he reul engine includes a plurality of security rules and is operable to evaluate 
the request against the plurality of rules . . . [which] are based on a relation between the user and the data"}; 
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determining if the data retrieval request corresponds to at least one of the rules 

Of the security policy {See COOK, col. 2, lines 54-65, wherein this reads over "[t]he reul engine includes a 
plurality of security rules and is operable to evaluate the request against the plurality of rules . . . [which] are 
based on a relation between the user and the data"}; 

identifying, via a parse tree {See slittz, Figures 6 and 8}, selectivity operators 

indicative Of the data to be retrieved {See SLITTZ, Figures 6 and 8; COOK, col. 8, lines 51-53}; 

modifying the parse tree according to the corresponding rule to generate a 

modified data retrieval request {See SLITTZ, col. 11, lines 3-14, wherein this reads over "updates the 
statement according to the choices made . . . [wherein] a choice at each current node adds a term to the 
statement's parse tree"}; and 

forwarding the modified data retrieval request to the data repository for 
subsequent retrieval and transport to the requesting user {See cook, Figure i}, modifying 
the parse tree further including 

building a parse tree corresponding to the SOL query {See slittz, Figures 6 

and 8}; 

adding nodes in the parse tree corresponding to the appended 

Conditional Selection Statements {See SLITTZ, col. U, lines 3-14, wherein this reads over 
"updates the statement according to the choices made . . . [wherein] a choice at each current node 
adds a term to the statement's parse tree"> ; and 

reprocessing the parse tree to generate the resulting data access 

transaction {See SLUTZ, Figure 6; and col. 9, lines 26-29, wherein this reads over "outputs a 
representation of the statement to program as the statement is generated") by modifying the 

packet content to being delivered to the database consistent with the original • 
data retrieval request . 

The combination of the inventions disclosed in COOK and SLITTZ would disclose a method for 
building a parse tree corresponding to the SQL query and adding nodes corresponding to the appended 
conditional selection statements. Therefore, it would have been obvious to one of ordinary skill in the art 
at the time the invention was made to combine the inventions suggested by COOK and SLUTZ. 

One of ordinary skill in the art would have been motivated to do this modification so that the 
appended conditional selection statements may be added as nodes to the parse tree, and consequently 
generating a retrieval request from the aforementioned parse tree, to be forward to the data repository 
for subsequent retrieval and transport of data items to the requesting user. 

57. Claim 28-29 and 37 are rejected under 35 U.S.C. 103(a) as being unpatentable over COOK, in 



view of FISHER. 
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COOK differs from the claimed invention in that COOK fails to disclose a method for identifying 
rows having restricted data items and eliminating the identified rows from the data access transaction 
(claim 28). 

COOK differs from the claimed invention in that COOK fails to disclose a method for intercepting 
the data query response from the data repository as the data access transaction (claim 37). 

58. As per dependent claim 28, COOK, in combination with FISHER, discloses: 

The method of claim 1 wherein the data indications are rows of data retrieved 
from the data repository, and limiting further comprises: 

identifying rows having restricted data items {See fisher, coi. 3, lines 29-35, wherein 

this reads over "[e]ach view defines a subset of rows in the database tables that are accessible when using this 

view"}, and 

eliminating the identified rows from the data access transaction {See fisher, col. 19, 

lines 39-49, wherein this reads over "[v]iews can also be used to limit the columns and rows of database tables 

that are accessible to users"} such that the resulting data access transaction is a modified 
query response including rows without restricted data items {see cook, col. 8, lines 45-50, 

wherein this reads over "access manager will combine this query with the security rule defined above to form 
the following modified query"}. 

The combination of the inventions disclosed in COOK and FISHER would disclose a method 
wherein limiting access to and eliminating rows of data from the data access transaction would comprise 
the application applying a view, which defines a subset of rows in the database tables that are accessible, 
and applying rules of a security policy to the response to further limit access to the identified rows. 
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was 
made to combine the inventions suggested by COOK and FISHER. 

One of ordinary skill in the art would have been motivated to do this modification in order to limit 
access to identified rows. 

59. As per dependent claim 29, COOK, in combination with FISHER, discloses: 

The method of claim 5 wherein the data access transaction is a data query 
response including a row set and limiting further comprises: 

comparing each of the rows in the row set to the rules of the security policy {See 

COOK, col. 8, lines 57-59, wherein this reads over "data manager will format this query as an SQL query and 
submit it to the database which will return the sales data from rows 1 and 3 of Table 2"}; and 
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selectively eliminating rows in the row set including the restricted data items, 
based on the comparing, to generate a modified query response including a filtered row 

Set {See COOK, col. 8, lines 45-50, wherein this reads over "access manager will combine this query with the 
security rule defined above to form the following modified query"}. 

The combination of the inventions disclosed in COOK and FISHER would disclose a method 
wherein the row set of the data query response is compared to and filtered by the rules of the security 
policy. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention 
was made to combine the inventions suggested by COOK and FISHER. 

One of ordinary skill in the art would have been motivated to do this modification in 
order to limit access to identified rows. 

60. As per dependent claim 37, COOK, in combination with FISHER, discloses: 

The method of claim 6 wherein intercepting the data query response further comprises: 
intercepting the data query response from the data repository as the data access 

transaction {See FISHER, col. 28, lines 53-64, wherein this reads over "Step 1612 . . . which intercepts a 
user access request to access management information stored in managed objects stored in a desired table in 
the database' 7 }, 

the data query response encapsulated as a row set having rows from a relational 

database query {See COOK, col. 8, lines 57-59, wherein this reads over "return the sales data from rows 1 

and 3"} and further wherein limiting includes 

discarding rows in the row set having restricted data items {See cook, col. 

8, lines 45-50, wherein this reads over "access manager will combine this query with the security rule 
defined above to form the following modified query"} and 

transmitting the remaining rows to the user as the resulting data access 

transaction {See COOK, Figure 6, step 122; and col. 11, lines 10-12, wherein this reads over 
"[t]he page generator outputs a page formatted using visible data from the database"}. 

The combination of the inventions disclosed in COOK and FISHER would disclose a method 
wherein the data query response from the data repository is intercepted and rows are discarded 
accordingly. Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to combine the inventions suggested by COOK and FISHER. 

One of ordinary skill in the art would have been motivated to do this modification in so that 
restricted data items may be eliminated and the remaining rows transmitted to the user. 
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Response to Arguments 

61. Applicant's arguments filed 14 August 2006 have been fully considered but they are not 
persuasive. 

a. Applicant's Arguments: 

i. 35 U.S.C. 102(e) based on Cook 

As per claim 1, Applicant asserts the argument that Cook fails to show, teach, or 
disclose the method of intercepting in a nonintrusive manner (Amendment, page 16). 

ii. 35 U.S.C. 103(a) based on Cook in view of Bechtolsheim 

As per claim 10, Applicant asserts the argument that Bechtolsheim destructively 
modifies the packet, by inserting a header in place of a preamble within the packet 
(Amendment, page 18). 

As per claim 24, Applicant asserts the argument that the method of claim 1 is not 
bound to a predetermined GUI for supplying anticipated files in an expected form, but is 
generally applicable to transactions generated by a user and directed to a database by 
applying a process known as "sniffing the wire" (Amendment, page 19). 
Hi. 35 U.S.C. 103(a) based on Cook in view of Slutz 

As per claims 13 and 40, Applicant asserts the argument that Slutz is not 
applicable because it discloses test systems, not security implementations (Amendment, 
page 20). 

b. Response to Arguments: 

i. 35 U.S.C. 102(e) based on Cook 

As per claim 1 and Applicant's assertion that Cook fails to show/teach, or 
disclose the method of intercepting in a nonintrusive manner, Applicant is directed to 
Figures 1-3 of Applicant's claimed invention which discloses a method wherein a 
"Security Filter," (Figure 1, element 16) intercepts a data access transaction (Figure 2, 
step 100) and based on the security policy, limits the data access transaction (Figure 2, 
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step 103). Similarly, Cook discloses an invention which comprises of an application 
server configured to interface wit ha client (user) browser and a database. The access 
manager of the rule engine of the application server is used to filter data and "ensure 
that only appropriate data is provided to the user" (Cook, C5:L50-51). Specifically, the 
access manager, comparable to the "Security Filter" of Applicants claimed invention, 
intercepts the query from the user interface, and subsequently transmits queries 
modified by certain set rules. 

Moreover, Applicant presents conflicting and inconsistent arguments with regards 
to the disclosed invention. Applicant in one assertion states that "the disclosed 
configuration . . . neither takes invasive measures that disrupt the connection or 
detectably modify the packet" while in a subsequent assertion states that "the 
configuration of Claim 1 . . . merely inspects the incoming request in a non-intrusive 
manner to apply the rules to inspect and optionally, either allow the communication 
through or not." The assertions of the Applicant fail to further clarify the disclosed 
invention in that it is unclear how the disclosed configuration could not allow the 
communication through but not disrupt the connection. That is, the process of blocking 
a communication in itself would constitute an invasive measure. 

Additionally, Applicant asserts that the claimed invention is distinguishable from 
the disclosed invention in Cook, specifically the "manipulations and operations of the data 
in the database occurring from the application code in the server" (Amendment, page 
17). Applicant is directed to Cook which discloses the method wherein: 

"The access manager 86 receives queries from the user interface 76, processes the queries 
as described below, and sends the modified queries or query to the data access 
manager 80. The data access manager 80 transfers the results obtained from the 
database 74 to the access manager 86 which may then process the results to further 
limit the returned information." (Cook, C5:L51-57). 

The above disclosure in Cook similarly allows from the application of rules to 
inspect the queries as is found in Applicant's claimed invention. 
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Furthermore, Applicant asserts that "[t]he claimed mechanism is never a party to 
the database connection pair and is therefore non-intrusive to the database connection." 
However, should the claimed mechanism never be a part to the database connection 
pair, the claimed mechanism would be unable to limit the database access transaction 
based upon a set security policy. Such an argument would result in the claimed 
invention being inoperative and present an enablement issue under 35 U.S.C. 101. 
Additionally, with the addition of claim 44 which claims the use of a "separate network 
device" in intercepting and limiting the data access transaction, one of ordinary skill in 
the art would arguably conclude that the aforementioned network device would 
constitute a party and could not take the status of a non-party for the reasons set forth 
above. 

Finally, the Office notes Applicant's interpretation of the term "non-intrusive." 
However, the term u non-intrusive" under its broadest reasonable interpretation could 
mean to one of ordinary skill in the art that the disallowance of a data access transaction 
would not fall with the scope of inspecting an incoming request in a non-intrusive 
manner. That is, the means of intercepting and blocking the data access transaction by 
the disclose configuration would be intrusive to the a request for data access, 
ii. 35 U.S.C. 103(a) based on Cook in view of Bechtolsheim 

As per claim 10 and Applicant assertion that Bechtolsheim destructively modifies 
the packet, by inserting a header in place of a preamble within the packet, Applicant is 
directed to Bechtolsheim which states the following: 

"The method includes receiving an Ethernet packet at a network element and modifying 
the packet by inserting a header in place of some or all of an unused portion of a 
preamble within the packet" (Bechtolsheim, Abstract). 

Applicant has summarily taken the reference out-of-context and has 
misconstrued and misapplied the invention disclosed by Bechtolsheim. Bechtolsheim 
discloses a method wherein a header is inserted into an unused portion of the preamble. 
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The aforementioned modification is non-destructive since it uses unused space of a 
preamble instead of "obliterating the contents of the former original packet preamble" 
(Amendment, page 18). That is, the method of modification found in Bechtolsheim 
provides a non -destructive, or a per se CONSTRUCTIVE means of modifying the packet. 
Furthermore, the inclusion of Claim 10 into Claim 1 by amendment fails to disclose that 
the packet modifications appear to be "UNCHANGED to the recipient" (Amendment, page 
18) and thus Applicant continues to assert matter which is not recited in the rejected 
claim(s). Although the claims are interpreted in light of the specification, limitations from 
the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 
USPQ2d 1057 (Fed. Cir. 1993). For the aforementioned reasons, Applicant's argument is 
unpersuasive and the rejection of Claim 1 as amended is sustained under 35 U.S.C. 
103(a). 

As per claim 24, it is unclear how the Applicant could properly assert that 
Bechtolsheim's method of modifying the packet is distinguishable and falls outside the 
scope of the claimed invention when the claimed invention similarly claims a method of 
modifying and padding the packets. The fact that modifications performed on a data 
access transaction are undetectable to a user application and a data repository is a 
matter of perspective since without some sort of verification by either elements that a 
certain transaction was submitted, the elements would fail to detect any modifications to 
the query or response. 

Additionally, Applicant asserts that Cook "does not show, teach, or disclose a 
limiter for limiting the data access transaction such that data indications (i.e. data 
references or items) are modified in a resulting data access transaction)" and "the 
scrutiny or inspection of the Cook '082 system is limited to the fields provide by the 
integrated GUI" (Amendment, page 19). Applicant is directed to Figure 2 of the claimed 
invention which discloses a method wherein a determination is made as to whether the 
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intercepted data access transaction corresponds to a security policy (Figure 2, step 102). 
It is inherent to the system, in a likewise fashion, is limited to the fields provided by the 
aforementioned security policy. 

For the aforementioned reasons, Applicant's argument is unpersuasive and the 
rejection of Claim 24 as amended is sustained under 35 U.S.C. 102(e). 
iii. 35 U.S.C. 103(a) based on Cook in view of Slutz 

As per claims 13 and 40, Applicant asserts the argument that Slutz is not 
applicable because it builds the structure of the parse tree first, then converts the parse 
tree to SQL statements, it is noted that the features upon which applicant relies are not 
recited in the rejected claim(s). That is, claims 13 and 40 merely recite "building a parse 
tree corresponding to the SQL query." Although the claims are interpreted in light of the 
specification, limitations from the specification are not read into the claims. See In re 
Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). 

Applicant further argues that "if one did combine the building of a parse tree 
with Cook, the result would be inoperable because there would be no initial SQL 
statement for which to apply the Cook method" (Amendment, page 20). Applicant is 
directed to Cook, column 8, lines 57-59, which discloses a method wherein "[t]he data 
manager will format this query as an SQL query and submit it to the database." 
Therefore, the disclosed invention of Slutz could readily receive the SQL query formatted 
by the data manager to build a parse tree as claimed in Claims 13 and 40. 

As per Claims 17 and 18, Applicant asserts that Cook "does not show, teach, or 
disclose a limiter for limiting the data access transaction such that data indications (i.e. 
data references or items) are modified in a resulting data access transaction)" and 'the 
scrutiny or inspection of the Cook '082 system is limited to the fields provide by the 
integrated GUI" (Amendment, page 19). Applicant is directed to Figure 2 of the claimed 
invention which discloses a method wherein a determination is made as to whether the 
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intercepted data access transaction corresponds to a security policy (Figure 2, step 102). 
It is inherent to the system, in a likewise fashion, is limited to the fields provided by the 
aforementioned security policy. Furthermore, Applicant's argument, regarding the 
assertion that the claimed configuration disposes the rule based processing entity before 
the GUI, is moot since it is noted that the features upon which applicant relies are not 
recited in the rejected claim(s). Although the claims are interpreted in light of the 
specification, limitations from the specification are not read into the claims. See In re 
Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). 

As per claim 43, Applicant asserts that Cook limits data retrieval "by narrowing 
the selection of the query REQUEST to fetch fewer rows, [and] not by eliminating already 
fetched rows in the query RESPONSE" (Amendment, page 21). However, with the 
combination of the disclosed invention found in Fisher, one of ordinary skill in the art 
would be able understand that a view may be applied to a returned subset of data to 
restrict access to users. 

Accordingly, the rejections of the aforementioned claims are sustained. 

Conclusion 

62. THIS ACTION IS MADE FINAL Applicant is reminded of the extension of time policy as set 
forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory 
action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing 
date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the mailing date of this final action. 
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63. Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to Paul Kim whose telephone number is (571) 272-2737. The examiner can normally be 
reached on M-F, 9am - 5pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Christian Chase can be reached on (571) 272-4190. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC)at 
866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or 
access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Paul Kim 

Patent Examiner, Art Unit 2161 
TECH Center 2100 




SAM RIMELL 
PRIMARY EXAMINER 



